Contents x
    Secure Data Transfer with AWS SSM
    • 3 Minutes to read
    • Dark
      Light
    Contents

    Secure Data Transfer with AWS SSM

    • 3 Minutes to read
    • Dark
      Light
    Article summary

    AWS Systems Manager (SSM) is a service that allows you to manage resources on AWS, including instances, VMs, containers, and services, from a central location. It provides capabilities for configuration management, automation, and security management, simplifying operational tasks and improving efficiency in managing AWS infrastructure.

    DATADDO TIP

    This articles covers configuring SSH tunnelling via AWS SSM. See Secure Data Transfer with SSH Tunnelling for a general setup.

    To set up SSH tunnelling through AWS SSM, see the following sections.

    Prerequisites

    To set up SSH tunneling through AWS SSM in Dataddo, ensure that

    • You have an AWS EC2 instance that acts as an SSH bastion server.
    • The bastion server accepts incoming SSH connections from Dataddo IPs.

    You can refer to the architecture as illustrated in the schema below.

    SSH tunnel

    Create and Set up a Bastion Host

    Create a Bastion Host

    Create a new instance to be a bastion host, or configure your existing one.

    1. Go to your Amazon EC2 console and click on Launch instance.
    2. Name your instance and select the following:
      1. Application and OS Images: Select a minimal and secure Amazon Machine Image (AMI), such as Amazon Linux 2 with a pre-installed SSM Agent.
      2. Instance type: Choose a minimal instance type (e.g., t3.micro or t3a.micro).
      3. Key pair (login): Click on Create new key pair. Name it and select RSA type and .pem key file format. A key will download automatically to your device which you will later upload to Dataddo.
    3. For Network settings, make sure Allow SSH traffic from box is checked and select Custom. To allows SSH traffic from Dataddo, add all Dataddo IPs (https://docs.dataddo.com/docs/network-acl) using CIDR notation as individual rules.
    4. Launch your instance.

    Integrate Bastion Host with AWS SSM

    1. In your AWS console, use the search bar to navigate to IAM service.
    2. Go to Roles and click on Create role.
    3. For Use case, select EC2 and click on Next.
    4. On the Set permissions step, look for the AmazonSSMManagedInstanceCore policy and add it (check the box on the left). This role will enable the bastion host to communicate with AWS SSM.
    5. Name the role, review, and add it.

    Now, attach this IAM role to the bastion host for proper SSM functionality.

    1. In your EC2 dashboard, navigate to Instances and select the bastion host instance.
    2. In the top-right, click on Actions, select Security and click on Modify IAM role.
    3. Select your newly created role with the AmazonSSMManagedInstanceCore policy and click on Update IAM role.

    Make sure to connect your database to the instance.

    Authentication Using a Public/Private Key Pair

    We recommend using a public and private key pair for authentication. While password-based authentication is an option, it's less secure and not recommended. As illustrated in the schema above, ensure

    • The private key is provided to Dataddo, and
    • The public key is automatically assigned to the SSH bastion server.
    1. Go to the Security page and navigate to the Certificates tab.
    2. Click on Add Certificate.
      1. Name your certificate.
      2. For certificate type, select RSA Private Key
      3. Upload your private key.
    3. Save your certificate.

    Generate a New Public/Private Key Pair

    Alternatively, Dataddo can generate a public/private key pair for you. In this scenario, you only need to ensure that the public key is uploaded to your SSH Bastion Server. For this option, please contact us.

    Configuring SSH Tunnel to Data Destination

    Dataddo supports SSH tunneling for a variety of AWS systems, including, but not limited to, Redshift, SQL Server, MySQL or Postgres.

    To establish a connection via an SSH tunnel, follow these steps:

    1. Navigate to Authorizers and click on Authorize New Service to select a service or system of your choice (e.g. MySQL, Postgres, Redshift ...).
    2. Fill in the standard database connection details.
    3. Choose Yes for the Use SSH tunnel field.
    4. Input the necessary information for your SSH bastion server:
      1. SSH Server IP or Hostname: Enter the IP address of your SSH server. Ensure your firewall settings permit incoming connections from Dataddo IPs.
      2. SSH Server Port: Specify the port for the SSH connection (the default is usually 22).
      3. SSH Server Username: Provide the username for authentication. The username depends on your AMI. See Amazon's official documentation for list of default usernames.
      4. SSH Server Password: Leave the field empty and select your certificate instead.
      5. Certificate: Select the Certificate you uploaded to Dataddo in the previous step.
    Was this article helpful?
    What's Next